WRT54GS v.1.0 JTAG via TUMPA: Impossible to erase CFE

Tornado
DD-WRT Developer/Maintainer


Joined: 07 Jun 2006
Posts: 2087
Location: Odessa, Ukraine

Posted: Mon Oct 10, 2011 22:51
Hehehe, you're funny. Yep, I'm back in the U.S. and almost set up. I will start participating again. I would ask that anyone who has to manually choose a flash chip send me the output of -probeonly /flash_debug; I want to kill this old bug, but will need your help.
_________________
Want JTAG support - Donate a router
or Donate with PayPal !

My preferred parallel jtag adapter:
TIAO Parallel adapter

Tjtag website - http://tjtag.com

Compiling DD-WRT on:
AMD Phenom II X6 1090T @ 3926.667 Mhz

Aptosid X64 - Debian SID X64
Ubuntu 10.10 X64 - Arch X64
funk
DD-WRT Novice


Joined: 06 Oct 2011
Posts: 6

Posted: Tue Oct 11, 2011 23:48
Thanks for chiming in guys, I'm just an artist with a bricked router, hexadecimals and switches ain't my forte.

Issuing a -backup:nvram with no switches at all gave me the following nvram.bin. I saw the FFs in the beginning and called it good, but scroll down to Offset: 00018000, and I can see the contents of the nvram that bricked it in the first place (wrong cpu clock value).

I've found a WRT54GS-specific note that states its different flash offsets, not sure if it is directly related to what I'm facing though.

@Tornado, how low should the speed be? I'd include an output but there's no /flash_debug in zjtag yet.



Attachment: NVRAM.BIN (128 KB)

LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7632

Posted: Wed Oct 12, 2011 2:02
funk wrote:

Issuing a -backup:nvram with no switches at all gave me the following nvram.bin. I saw the FFs in the beginning and called it good, but scroll down to Offset: 00018000, and I can see the contents of the nvram that bricked it in the first place (wrong cpu clock value).



If the cpu clock value is your only problem then use a hex editor to correct it, then write back the nvram.

_________________
Kernel panic: Aiee, killing interrupt handler!
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

Posted: Wed Oct 12, 2011 14:39
LOM wrote:
funk wrote:

Issuing a -backup:nvram with no switches at all gave me the following nvram.bin. I saw the FFs in the beginning and called it good, but scroll down to Offset: 00018000, and I can see the contents of the nvram that bricked it in the first place (wrong cpu clock value).



If the cpu clock value is your only problem then use a hex editor to correct it, then write back the nvram.


Me thinks the OP is having a problem writing. All that needs to happen is to erase nvram (which is also writing) but I gather the OP's problem is he is unable to write to the flash chip.

Is serial console an option (to the OP)? You can erase nvram there also.

_________________
[Moderator Deleted] Shocked
funk
DD-WRT Novice


Joined: 06 Oct 2011
Posts: 6

Posted: Wed Oct 12, 2011 22:48
Yep, looks like I have issues writing/flashing back to the router, at least in the right offsets.

Code:
Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = 0089 : 0017)
*** Found a Intel 28F640J3 4Mx16       (8MB) Flash Chip from Intel

    - Flash Chip Window Start .... : 1C000000
    - Flash Chip Window Length ... : 00800000
    - Selected Area Start ........ : 1C7E0000
    - Selected Area Length ....... : 00020000


Checking the contents of nvram.bin with a hex editor, I see that the unerased area starts @ 00018000 and ends @ 0001A377, length = 2378 (the rest of nvram.bin is FF'ed).

How do I point zjtag to erase that particular portion? erase:custom /start:00018000 /length:2378 ?

barryware, I don't get anything coming out the serial port.
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7632

Posted: Wed Oct 12, 2011 22:56
funk wrote:

How do I point zjtag to erase that particular portion? erase:custom /start:00018000 /length:2378 ?



You can't do that, flash chips are not erased by bytes but by flash sectors.
A sector is 128KByte in this chip so that is your smallest erase size.

_________________
Kernel panic: Aiee, killing interrupt handler!
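
The sector-granularity point in the reply above, as an added example that is not part of the original thread or of zjtag: it scans a backup for programmed (non-0xFF) bytes and rounds each extent out to whole 128 KB erase sectors. The sample image is constructed to match the offsets reported in the thread; the function names are hypothetical.

```python
# Added example (not from the thread): find programmed data in a flash
# backup and the whole erase sectors that must be erased to clear it.
SECTOR_SIZE = 0x20000  # 128 KB erase sector on this chip, per the reply above


def programmed_extents(image, gap=16):
    """Return (start, end) offsets, end inclusive, of non-0xFF runs.

    Runs separated by fewer than `gap` bytes of 0xFF are merged.
    """
    extents, start, last = [], None, None
    for off, byte in enumerate(image):
        if byte == 0xFF:          # erased NOR flash reads back as 0xFF
            continue
        if start is not None and off - last - 1 >= gap:
            extents.append((start, last))
            start = None
        if start is None:
            start = off
        last = off
    if start is not None:
        extents.append((start, last))
    return extents


def erase_range(start, end, sector_size=SECTOR_SIZE):
    """Smallest sector-aligned (base, length) covering start..end inclusive."""
    base = (start // sector_size) * sector_size
    stop = (end // sector_size + 1) * sector_size
    return base, stop - base


def build_sample():
    """Constructed 128 KB image: erased except 0x18000..0x1A377."""
    image = bytearray(b"\xff" * SECTOR_SIZE)
    filler = b"k=v\x00" * (0x2378 // 4)   # placeholder bytes, not real nvram
    image[0x18000:0x18000 + len(filler)] = filler
    return bytes(image)


if __name__ == "__main__":
    AREA_START = 0x7E0000  # selected area 1C7E0000 minus window start 1C000000
    for start, end in programmed_extents(build_sample()):
        base, length = erase_range(AREA_START + start, AREA_START + end)
        print(f"data {start:#07x}-{end:#07x} ({end - start + 1:#x} bytes) "
              f"-> erase {base:#x} length {length:#x}")
```

Even though only 0x2378 bytes are programmed, the computed erase range is the full 0x20000-byte sector that contains them.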
gowrt
DD-WRT Novice


Joined: 01 Nov 2011
Posts: 2

Posted: Tue Nov 01, 2011 14:05
try to slow down a bit:

zjtag -backup:nvram /L1:5

see:

http://www.tiaowiki.com/w/Debrick_Wireless_Router_Using_TUMPA_and_zJTAG

Scroll to bottom:

Quote:

If flash doesn't work or erase doesn't work, try to lower the speed by giving a larger divider, e.g. in my case, use

/L1:4

will decrease TCK to 6Mhz.
funk
DD-WRT Novice


Joined: 06 Oct 2011
Posts: 6

Posted: Tue Nov 01, 2011 14:48
Thanks for your thoughts gowrt,

I tried lowering the speed up to L1:10 to no avail. It's still impossible to write to the flash reliably (or at the right offsets).
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7632

Posted: Tue Nov 01, 2011 16:47
funk wrote:
Thanks for your thoughts gowrt,

I tried lowering the speed up to L1:10 to no avail. It's still impossible to write to the flash reliably (or at the right offsets).


You don't have to worry about flash offsets, the program understood where nvram resided when you did a backup and it will understand it when you do a write, just substitute backup with write on your cmd line.

You have to hexedit the nvram backup file, changing the clock value to 125 from whatever you tried to overclock it with. Then save the whole 128KB file as nvram.bin (without date stamps) and do the jtag write.

_________________
Kernel panic: Aiee, killing interrupt handler!
funk
DD-WRT Novice


Joined: 06 Oct 2011
Posts: 6

Posted: Tue Nov 01, 2011 18:15
LOM wrote:
You don't have to worry about flash offsets, the program understood where nvram resided...

Thanks for clearing this up LOM, sounds encouraging.


LOM wrote:
You have to hexedit the nvram backup file, changing the clock value to 125 from whatever you tried to overclock it with. Then save the whole 128KB file as nvram.bin (without date stamps) and do the jtag write.

I tried that too. Will try again, there might be some voodoo going on.
gowrt
DD-WRT Novice


Joined: 01 Nov 2011
Posts: 2

Posted: Mon Nov 14, 2011 20:23
You can try v0.3 of zJTAG:

http://www.tiaowiki.com/download//file.php?id=34

it added a delay flag:

Quote:

*) /delay - Pause between DMA write actions. Use this if you could not
get a reliable write or erase result. If not specified, default delay
is 50 ms. This option only works with TUMPA USB adapter.


so in your command line, try to add /delay:100 and see how it goes.

thanks
Zumtotal
DD-WRT Novice


Joined: 12 Nov 2011
Posts: 8

Posted: Mon Nov 14, 2011 21:00    Post subject: Power supply?
Make sure your power supply is providing enough juice. I tried using a third party one and just couldn't erase nvram properly with tjtag3, whatever switches I used. Then I hooked up the genuine Linksys supply and everything was fine.

Also, on my WRT54GSv1.1 I found I didn't need to use any switches such as /noemw after the erase command.
funk
DD-WRT Novice


Joined: 06 Oct 2011
Posts: 6

Posted: Wed Nov 16, 2011 7:36
Thanks guys, the latest version and its delay switch got the job done for me.

I was using the original ps btw.
slemke
DD-WRT Novice


Joined: 16 Jan 2012
Posts: 4

Posted: Mon Apr 02, 2012 9:00
Hi!

I have the same problem - please help.

I have already tried the /delay Switch. Here is my actual command line:

zjtag -erase:cfe /L1:5 /delay:100 /nocfi

I have tried it with an Intel 28F128J3 (16MB) and 28F640J3 (8MB) without luck.

Also tried L1:10 and delay:999 without success.

The hardware is ok - using a xilinx-parallel cable and wrt54.exe is working fine.

Power Supply is original.

Thanks,
Sebastian
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7632

Posted: Mon Apr 02, 2012 10:33
slemke wrote:

The hardware is ok - using a xilinx-parallel cable and wrt54.exe is working fine.



I suppose your problem is solved then?

_________________
Kernel panic: Aiee, killing interrupt handler!